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I. INTRODUCTION 


The number of computers and computer networks has exploded over the past few 
decades, and computer security is a major concern. In a multi-level system where 
information exists with different security classifications, such as a military computer 
system, we want to protect information with a high security classification. И is desirable 
to have an automated tool to detect whether information we wish to keep secret in 
applications remains secret and is not leaked. This thesis introduces a program that will 
statically analyze a subset of Java programs to ensure that private information is not 
leaked. 

A. SECURE INFORMATION FLOW 

Verifying secure information flow within computer systems is necessary in order 
to protect sensitive information. especially in a military system. Denning and Denning 
state that information flow occurs from a storage object x to another storage object y 
when information stored in x is transferred to y, or used to derive information transferred 
to y. A flow may be either explicit or implicit [1]. 

Explicit information flow occurs when information is directly copied or 
transferred from one storage object to another. Consider the code segment "y := x". The 
information contained in x is directly copied into y, so information flows from x to y. 
The flow from x to y is independent of the value stored in x. 

Implicit flow occurs when information is indirectly copied or transferred from one 


storage object to another. If the variable x contains either 0 or 1, then the following code 


segment will copy the value of x into y using an implicit flow: 

у:= 0; M$(x= 1) then y := 1 
In this case, there is no direct flow from x to y. However, the value of x determines 
whether the then statement will be executed. The flow in both of these examples is 
allowed only if the security classification of y is at least that of x. For instance, if x were 
classified high then y must also be classified high in order for the code to be secure [1]. 
B. A TYPE-BASED TREATMENT OF SECURE INFORMATION FLOW 

Goguen and Meseguer introduced a notion of security for deterministic computer 
systems called noninterference [2]. The basic idea is that a system has users who may 
supply information with various security classifications to the system. A system satisfies 
the noninterference property if its low-level outputs remain the same when its high-level 
inputs are changed. 

Volpano and Smith [3] have applied this idea to programming languages. When 
applied to languages, the idea is that low-level program outputs are unaffected by 
changes in high-level program inputs. 

6: A TYPE INFERENCE ALGORITHM 

Volpano and Smith go on to describe an algorithm that is defined by cases on the 
phrases of a simple imperative language. The evaluation of an expression returns a 
principal type and a set of typing constraints. A typing constraint is an inequality 


between two types that are security levels. For example, if is type high and t' is type 


low then T' € t is a constraint. Note that т' = т is equivalent to t' € t and 1 € t. It is 


important to note also that the algorithm produces constraints among type variables, 


where a type variable ranges over types like high and low. Constraint-set satisfiability 
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can be used on the set of constraints to determine whether illegal flows exist in the 


program being analyzed, for instance, ifa constraint set contains high < low. 


The classifications, or types. over which type variables range, depend on the 
system being modeled. In a typical military system, the types would be unclassified, 


confidential, secret, and top secret. For the purposes of this discussion, we consider a 


simple system of only two types, high and low, where low < high. 


As an example of how the algorithm works, consider the case of the preceding 
assignment statement, y := x. Assuming x and y have already been assigned the type 
variables to and T; respectively, the following set of constraints will be generated by the 


type inference algorithm: 


{To < T2, T1 = 72,13 < 72) 


Therefore, the principal type of the expression is t3 cmd. The constraint set can be 


simplified to (10 €. 11, 13 €. 11). So, for the assignment statement y := x, the algorithm 


States that the classification of y must be at least as high as the classification of x. The 
second constraint allows downward coercion on command types [7]. 
D. AN IMPLEMENTION OF THE ALGORITHM 

This thesis presents a Java program that implements the type inference algorithm. 
The program is generated from a specification that is input to a compiler compiler called 
JavaCC. JavaCC is a tool that reads a grammar specification written in a LEX/ YACC- 
like manner and converts it into a parser for the grammar. The algorithm was 
incorporated into a grammar specification for Java 1.0.2 supplied with the JavaCC 


distribution. The actions specified by the algorithm were performed by adding Java code 
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(semantic actions) to the corresponding productions in the grammar specification. The 
generated parser is a secure flow analyzer for a subset of Java. Several statements, 
expressions, and other Java functionality were removed from the grammar specification 
because they are not currently supported by the type inference algorithm 
E. THESIS ORGANIZATION 

Work in the area of secure information flow and a lattice model of secure 
information flow are discussed in Chapter II, followed by a description of the secure flow 
type system in Chapter III. The type-inference algorithm is discussed in Chapter IV. In 
Chapter V, the static analyzer and the Java subset we consider are discussed. Chapter VI 
gives an example run of the analyzer, and Chapter VII discusses some possible future 


work and presents conclusions about secure flow analysis and the static analyzer. 


П. THE LATTICE MODEL OF SECURE INFORMATION FLOW 


The security mechanisms of most computer systems do not attempt to detect or 
prevent insecure information flows. Computer system security requires that programs at 
high security levels be unable to transfer information to low security users or programs. 
Most access control mechanisms are concerned with direct access control and are not 
concerned with information flow channels that may exist. Other systems rely on the 
trustworthiness of processes [5]. 

In the lattice model of secure flow, a flow policy is represented by the poset 
<S, >> [5]. S is a set of security classes and > is a partial order, called the flow 
relation. The flow relation specifies permissible flows between the security classes. 
Every variable x is assigned a security class, denoted x, that is statically bound to x and 
that can be determined at compile time from declarations given in the program. If x and 
y are variables in a program and an information flow from x to y exists, then the flow is 
allowed if x y [6]. 

Each programming construct has a certification rule. Some rules, such as 
assignment statements, certify explicit flows and other rules, such as if statements, certify 
implicit flows. An assignment statement, x :7 y, will be certified if x > y. The rules for 
conditional constructs such as the following if statement certify implicit flows. 

if x = 0 then y := 0 else z := |] 
This statement is certified if x y and x  z. 

Ifthe poset <S, > is a lattice, then there is a unique least upper bound and 

greatest lower bound for any pair of classes. A simple grammar consisting of synthesized 


attributes can be given to certify programs. The attributes are security classes computed 
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using the least upper bound, lub, and greatest lower bound, glb, operations. For example, 


the certification requirement for the above if statement becomes the single condition 


x > glb(y, z) [6]. 


IM. A SECURE FLOW TYPE SYSTEM 


Volpano, Irvine, and Smith describe a type system consisting of a set of type 
inference rules and axioms for deriving typing judgements. The types of the system are 
divided into three levels. One level contains data types, which we refer to as v types. 
These are the security classes of Denning's model and they are partially ordered, for 


example, low < high. 


At the next level, are the z types. They consist of the data types t, command 
types t cmd and the procedure types 
T proc(T¡, T2 var, T; acc) 
A variable of type z var means it can store information at level t. A command has type 
t cmd only if every assignment in the command is made to a variable whose security 
level is t or higher. Lastly, the t in the above procedure type refers to the security level 
of its body. That is, a call to a procedure of this type would have type t cmd. 
At the third and final level are the p, or phrase. types. They consist of are the 
z types, type T var and type т асс (ме ignore type t acc). So, our procedure types, in this 
this, are of the form: 
T proc(Tı var,...,Tn var) 
The partial order on z types is extended to a subtype relation over phrase types. 
The subtype relation is anti-monotonic in the types of the commands. meaning if t is a 
subtype of t', then t' cmd is a subtype of t cmd. The intuition here is that if one can read 


level 7' (high) information then they can read level z (low) information. There is also a 


> 


typical type subsumption rule that states if a phrase has type p then it can be assigned a 
type p' if p is a subtype of p' [7]. 
The typing rules of the system guarantee secure explicit and implicit flow. 
Consider the typing rule for assignment: 
yl-x:tvar 
yle:r 
yl-x:- e: cemd 
where y is an identifier typing that maps identifiers to p types. The rule states that the 
explicit flow from expression e to variable x is secure if e and x have the same security 
level. This does not prevent e from having a lower security level than x, because 
subtyping allows the level to be coerced upward. 
The next example shows a rule that deals with a situation where an implicit flow 
exists. Consider the following program phrase where x is either 0 or 1: 
if x = 1 then y := 1 else y := 0 
There is no explicit flow from x to y, but when the phrase is executed, y will contain the 


value of x. To guarantee the implicit flow from x to y is secure, the following typing rule 


is used: 
y|-e:T 
у|- с: тста 
у|- с’: тета 


y |- if e then c elsec' : r cmd 
The commands c and c' must have type t cmd, because information of type t is implicitly 
known by evaluating the predicate e. Therefore c and c' can only make assignments to 


variables at security level t or higher. The rule requires e, c, and c' to have the same 


security level, namely t. Nevertheless, an upward implicit flow from e to c and c' can be 
accommodated by subtyping. 

There is also a rule for local variable declarations. A local variable declaration of 
the form 

letvar x := e in c 
creates a variable x with an initial value e, whose scope is command c. The initialization 
of x may cause an implicit flow, but it is always harmless. 

Two lemmas are needed to prove type soundness: Simple Security and 
Confinement. Simple Security applies to expressions and Confinement applies to 
commands. Ifan expression e can be assigned type 7, then Simple Security states that 
only variables of type t or lower will be read when e is evaluated (no read up). 
Confinement says that if a command c can be assigned type t cmd, then every variable 
that is updated in c has security level t or higher (no write down). These two lemmas are 
used to prove that the type system is sound. Soundness is formulated as a 
noninterference property. The noninterference property states that variables in a well- 
typed program do not interfere with variables at lower security levels. 

It is possible to automatically check whether a program is well typed, using the 
techniques of type inference. The basic idea of type inference is to use type variables to 
represent unknown types in a program, and to generate constraints in the form of 
inequalities. An assignment of types to these variables must satisfy the constraints in 
order for the program to be well typed with respect to that assignment. A principal type 


can be formulated that represents all possible types the program can be given. 


IV. ASECURE FLOW TYPE INFERENCE ALGORITHM 


A type inference algorithm that ensures secure information flow is described in 
this chapter. Volpano and Smith have extended the type system discussed in the previous 
chapter to a simple language with first order procedures [3]. They also prove the 
noninterference property for the system in order to establish the type soundness in the 


context of procedures. Figure 1 shows the core language they considered. 


expressions ::- x|n|/| 
er + e | 
proc(in x;, inout x2, out x3) c 


commands ::= су; сә | 
If e then c; else c; | 


while e do c | 

e] := е. | 

letvar x :- e in c | 

letproc x (in x;, inout x2, Out x3) c inc’ 
een eses) 





Figure 1. Core Language 

For expressions, meta-variable x ranges over identifiers, 77 ranges over integer literals, 
and / ranges over locations. Expressions also consist of anonymous procedure 
expressions. Their names are provided via letproc. 

Commands consist of the following: composition of commands, if, while loops, 
assignment, variable declarations, procedure declarations, and procedure calls. 

Volpano and Smith give a secure flow type inference algorithm in [3]. It is shown 
in Figure 2 and is defined by cases on the phrases of the core language. The algorithm 


takes as inputs a location typing A, an identifier typing y, a program phrase p, and a set of 


WA,T,p,V) = case p of 


x: case 7(z) of 
r:({F <a},a,VU{a}) < g V 
Tvar:({r<a),a,YU{a}) C g V 
default : fail 


n:({},a,VUf{a}) agV 
1: (A) Saja, VU{a}) «ЕУ 


е Без : 
let (C1, A, V’) = WA, 7,61, V) 
let (Ca,%,V") = W(A,7,¢2,V’) 
з (СОС ол =}, А, И") 


proc (in z;, inout z5, out rs) c: 
let (C, T cmd, V’) x W(A, 3[z1: a, z2 : B var, zs3 : 6 acc], c, V U (a, 8,6)) 
in (C, T proc(a, 8 var, 6 acc), V) «a 8 and é6 g V 


cı; ca : let (Ci, ста, У") = И(А, 7, с, У) 
let (Ca,R cmd, V") = W(A,T, ca, V”) 
m (С, UC;U(n = Ts), ñ" emd, V”) 


if e then ci else cj: 
let (C,7,V') = W(A,7,¢,V) 
let (C, cmd, v") = WA, т, cı, V’) 
let (C4, 9 ста, И") = (А, 3, ca, V") 
in (CUC, UC, U{T=7=R,a <T},acma,V"U{a}) су” 


while e doc: 
let (C,7,V") = W(A,7,6,V) 
ес (С', 7 cmd, V") = W(A,7,¢,V') 
in (CuUl’u{r=rT,a<r},acmd,V"u{a}) <= g V“ 


біш ебі” 
let (C, 7", V") 2 W(4,7, ea, V) 
case сє, of 
z: Их) = F var or F(z) = 7 acc then 
(Cu{7=F,a <7} a cmd, V'U{a}) ea g V' 


else fail 
l: (CU{A N =7 0 <7) a cmd, V'Ula)) «ұу! 
default : fail 


letvar r := e inc: 
let (C,7, V) Z W(A, 3, e, V) 
let (C', ' cmd, V") zz W(A, 3[z : P var], c, V^) 
іп (СОС? сті, У") 


letproc z(in z;, inout z5, out zs) c in c': 
let (C, x, V^) 2 W(4, 3, proc (in z,, inout z3, out zs) c, V) 
let (C', f cmd, V") — W(A, 7, [proc (in 11, inout z2, out zs) c/z]c', V") 
ір (СОС, сті, У") 
e(e1,e2,€3): 
let (C,F proc(n, T var, % асс), У') = W(A, 7, e, V) 
let (C',?,V*) - W0,35, e, V") | 
let C” = case ez of 
z: if yz) =P" var then CUC'U (*' — 7,7" — 75) else fail 
1: CuCu{r=7,A) =m} 
default : fail 
in case es of 
z: if (z) = "var or 7(z) z *" acc then (C" U (7" = $33), T cmd, V") 
else fail 
1: (C^ U (A() = $), emd, V”) 
default : fail 


Figure 2. Volpano-Smith Type Inference Algorithm 


type variables V. A location typing maps addresses to t types and an identifier typing 
maps variables to types t and t var, for some t. The latter treats free variables in a 
program, while the former treats free addresses. We shall assume programs have no free 
addresses, and drop A from the implementation of the type inference algorithm. The set V 
contains a list of previously-used type variables and allows the algorithm to choose new 
type variables. If the algorithm succeeds, it returns a triple consisting of a set of 


constraints C, a type m, and the updated set of stale variables V. The constraints in C are 


inequalities among type variables. 


To illustrate how the algorithm works, we give an example from [3], shown in 


Figure 3, of a procedure that indirectly copies a variable x to another variable y. 


proc (in x, out y) 
letvar a := x in 
letvar b := 0 in 

while a > 0 do 


b:=b+1; 
а:=а - 1; 
y :=b 





Figure 3. Example Program 
Figure 4 shows the results of calling the algorithm on the procedure. The algorithm yields 
a triple consisting of a set of stale type variables V, the list of generated constraints and 
the type of the procedure, here denoted by xr. This triple is used to form the principal 
type for the procedure. 
Type simplification can be used to simplify the constraint set C and type z [8]. 
The static analyzer developed for this thesis does not include any mechanism to perform 


type simplification and such simplification is shown here for demonstration purposes 
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A ae e d e) 
C= laeasyyv-ose-wuvtz&se-GytS&i-uUó^-^mnitsóÓ 


п Одлу к оу Ел ук Пет ос поса 
m= (у proc(a, д асс)) 





Figure 4. Algorithm Results of Sample Program 
only. The first step collapses the strongly connected types and produces a more useful 


form, as shown in Figure $. 


MEE QU 


{б<ё&о<А4,А<ба<А\ 
(о proc(a, €acc)) 





Figure 5. Algorithm Results after Type Simplification 


Further simplification is possible leading to the x in Figure 6. 


n = (Sproc(s, Sacc)) 


Figure 6. Principal Type after Applying Monotonicity-Based Instantiations 
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V. IMPLEMENTATION OF THE TYPE INFERENCE ALGORITHM 

The static analyzer that performs the security checks specified by the type 
inference algorithm was developed using the Java Compiler Compiler (JavaCC). JavaCC 
takes, as input. a grammar specification. The output is a Java program that will parse the 
specified language and perform the semantic actions indicated in the grammar 
specification. 

Rather than start from scratch and build a JavaCC specification for the language 
in Figure 1, we started with a grammar specification for Java 1.0.2, which we modified to 
reflect the language in Figure 1. Semantic actions were added to encode the type 
inference algorithm. The specification is given in Appendix A. There are several 
restrictions imposed on the kinds of Java programs that the static analyzer can check 
because there are many constructs in the Java language that are not currently treated in 
the type inference algorithm. Each of the phrases in Figure 1 was mapped to a 
corresponding expression or statement in the Java grammar specification. 

A. A BRIEF LOOK AT JAVACC 

JavaCC constructs a Java program that acts as a recursive descent parser for the 
language described by the grammar specification. A sample from the Java 1.0.2 grammar 
specification is shown in Figure 7. The sample shows three productions that are used to 
parse a Java method declaration and parameters. JavaCC converts each production into a 


method in the generated parser. 


15 


void MethodDeclarator() 
tj 
{ 
«IDENTIFIER» FormalBParametersq)-( Vio “1 77% 
} 


void FormalParameters() 


FormalParameter () ( "," FormalParameter() )* ] ")" 


void FormalParameter() 
(] 
{ 
Type() VariableDeclaratorId() 
) 





Figure 7. Sample Productions 

Each production begins with the return type of the corresponding method in the 
parser, which is void for the three productions in Figure 7. The name of the production 
will also be the name of the method in the parser. Parameter passing can be adding to the 
productions in the same way it is used in Java programs. 

There is a notion of "calling" a production because of its relationship with the 
corresponding method in the generated parser. For example, if the production 
FormalParameter () in Figure 7 is called, it will in turn call the productions 
Type ()and VariableDeclaratorId(). 

Java code can be added anywhere in the production, but must be enclosed in curly 
braces, "1 1". When JavaCC converts the production into its corresponding method, the 
added code will remain where it was placed. Local variable declarations for any 
production should be inserted in the first set of curly braces of that production. In the 


three productions shown in Figure 7, there are no local variable declarations. 


B. IMPLEMENTING THE ALGORITHM USING JAVACC 

There are two main data structures in the implementation of the algorithm. The 
first is called gamma, and contains identifier typings. The second is called triple. and 
consists of the items returned by the type inference algorithm, namely, a set of constraints 
C. a type л, and a list of stale type variables V. 

The initial attempt to implement the algorithm used two Stacks from the Java 
utility package. The gamma stack held objects called gamma items. A gamma item 
consisted of a variable name and its type variable. The triple stack contained the triple 
items consisting of the constraint set in the form of a linked list and the principal type. 
The set of stale type variables was kept in a separate symbol generator for the entire 
program. 

The idea of the gamma stack was to push a gamma item whenever a new variable 
was encountered and to pop the stack when the variable's scope ended. It became 
apparent that determining when the variable's scope ended was going to be a difficult task 
unless the analyzer kept track of more information about the variables being declared. 
The analyzer soon had four separate stacks to keep track of the important information. 
The triple stack had similar problems. 

It was determined that all of the external stacks could be eliminated if the run time 
stack was utilized. In this implementation, gamma became a linked list of gamma items 
that is passed as a parameter from one production to those productions it calls. In 
addition, each production returns a triple that contains all the constraints generated in the 


program. This did pose one problem. A local variable declaration requires an update to 


the gamma list with the variable's type information and it also requires the generation of a 
new triple item. Both must be returned to the calling production. 

This problem may be overcome by adding new productions to the specification 
but the productions were not added in this implementation. Instead, a new data structure 
was developed to simply hold the new gamma list and the generated triple so that both 
the gamma list and the generated triple could be returned. The structure, called Dual, was 
later updated to also hold a string when a similar situation arose in the method declaration 
production that required a gamma list and the string representation of a token to be 
returned. 

Each of the commands and expressions of the core language listed in Figure 1 are 
"mapped" to one or more productions in the Java 1.0.2 grammar specification. Mapping 
the algorithm to the Java specification was performed in two steps. The first step was to 
determine which productions in the grammar specification correspond to commands or 
expressions in the core language. Once the relationship between the core language and 
grammar specification was established, the second step entailed encoding the semantic 
actions specified by the algorithm and placing the code in the corresponding productions 
of the grammar specification. We consider, in turn, each of the cases of the algorithm in 
Figure 2. 

Case "x" 

The Name () production in the grammar file is an instance of case x. Name () 
returns a string representation of the current token when the production is called. The 


type inference algorithm requires the type of x, t or t var, to be determined. The type 
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resolution of the token that corresponds to x is performed within the production that calls 
Name (). 

Case "n" 

The Literal() production is an instance of casen. Literal() accepts the 
Java primitive types of integers, floating point numbers, characters. strings. boolean 
values "true" and "false", and "null". 

Case "I" 

The third case statement, /, deals with locations and is not implemented in the 

Java grammar. 

Case "e; + e" 

The expressions below are all instances of case e; ^ e»: 
ConditionalOrExpression() 
ConditionalAndExpression() 
InclusiveOrExpression() 
ExclusiveOrExpression() 
AndExpression() 
EqualityExpression() 
RelationExpression() 
ShiftExpression() 
AdditiveExpression() 
MultiplicativeExpression() 

Case "proc(in xı, inout x2, out x3) c" 

The case in the algorithm for procedure declarations has the following form: 

proc(in xi, Inout x», out x3) c 
The modes of the parameters, in; inout; and out, are similar to those used in the Ada 


programming language. The productions dealing with procedures starts with the 


MethodDeclaration() production. The name of the procedure and the parameters 


are treated in a call to the MethodDeclarator () production. The parameters are 
added to the environment with a call to the FormalParameters () production so they 
may be referenced in the body of the procedure. MethodDeclarator () returns the 
procedure name and the types of the parameters. All parameters are considered to be 
inout mode and are typed as such, meaning they have type t var for some t. Finally the 
body of the procedure, c, is handled in a call to the Block () production. The static 
analyzer does not handle recursive procedures or method declarations. 

Case "cr; c;" 

Next in the algorithm is the statement for composition, c1; cz. Composition within 
a block, delimited by { }, is handled by the BlockStatementList () production. 
The original Java grammar specification handled composition inthe Block () 
production. It was necessary to add the production BlockStatementList () to 
handle the letvar statement. Changes to the grammar specification for the letvar 
statement are explained later in this section. 

Case "if e then c, else c" 

If-then-else statements are handled by the IfStatement () production in the 
grammar specification. The else portion of the statement is not mandatory in Java. If it 
is not used, then the semantic actions in the algorithm pertaining to the else statement are 
not executed. 

Case "while e do c" 

The next case is the while loop of the form, while e do c. It has been mapped to 
both the WhileStatement () and DoStatement () productions in the Java 


specification. 


Case "x := e" 

The assignment statement x := e is mapped to Assignment (). Note that ": =" 
is not the only assignment operator allowed: others include: "*=", "/=", "+=", and "-=". 
A modification to the grammar specification was required here. The Java 1.0.2 grammar 
specification Assignment () production is listed in Figure 8. The production, 
PrimaryExpression(), may be evaluated asa literal (),Name(), 
Expression().orAllocationExpression(). PrimaryExpression() 1s 
also called from a number of other productions as well and those productions require that 
PrimaryExpression() return a triple consisting of a constraint set, a type, and a list 
of stale type variables. However, the Assignment () production requires that 
PrimaryExpression() return the type of x from the identifier typing y. For this 
reason, a new production, PrimaryLeftExpression (), was introduced into the 
Grammar specification. It returns the string representation of x, so that it may be 


referenced in y, and replaces PrimaryExpression() inthe Assignment () 


production. 


void Assignment () 
Ul 
{ 


PrimaryExpression()AssignmentOperator()Expression() 


} 





Figure 8. Assignment Production 


Case "letvar x := e іп с" 

Mapping the letvar statement to the Java language required another modification 
to the Java grammar specification. The original specification handled local variable 
declarations at the same level as all other statements within BlockStatement (). The 


original Java specification productions that handle local variable declarations are shown 


in Figure 9. 


void Block () 
{ } 
{ 
( BlockStatement () )* "}" 
} 


void BlockStatement () 
© 
{ 
LOOKAHEAD (Type () <IDENTIFIER>) 
LocalVariableDeclaration() ";" 
| 
Statement () 
) 


void LocalVariableDeclaration() 
(] 
{ 


Type() VariableDeciarator() ( "," VariableDeclarator() )* 
} 





Figure 9. Java Specification Productions to Handle Local Variable Declarations 
In the original grammar specification, composition is handled in the Block() 
production. The * operator indicates that the production(s) within the preceding set of 
parentheses is called zero or more times. Two new productions, 
BlockStatementList() and LetvarStatement (), were added to the grammar 
specification because it is necessary to pass the identifier typing y, updated with a typing 
for x, to the production that parses c in letvar x - e inc. The original Java 1.0.2 grammar 


specification had no productions specified for c, so BlockStatementList() was 


һә 
2 


introduced to handle this problem. In the modified grammar specification, Block () 
calls BlockStatementList() once perBlockStatement(). 
BlockStatementList (). the production used to handle composition, calls 
BlockStatement () zero or more times. BlockStatement () calls 
LetvarStatement () ifa local variable declaration is found, otherwise, 
Statement () is called. LetvarStatement () first calls 
LocalVariableDeclaration() to handle the declaration, then 
BlockStatementList () to parse the rest of the program that is within the scope the 
new variable. The section of the modified grammar file is listed in Figure 10. 

Case "letproc x(in xi, inout x2, out x3)c inc’ "' 

The next case in the type inference algorithm, letproc, allows procedures to be 
used polymorphically and was not implemented in the Java grammar specification. 
Therefore, all procedures are treated as monomorphic in the analyzer specification. 
Moreover, only static methods are allowed because that is the only kind of method the 
algorithm treats. 

Case "e(e;, ез, ез)" 

The final case in the algorithm types procedure calls. The Java specification 
handles procedure calls in the PrimaryPrefix() production. First, the 
name of the procedure is found in the identifier typing , y, then the types of the arguments 
are compared with those retrieved from y. The original grammar specification for Java 
allowed arguments to be expressions. In the modified specification, all parameters must 


be either a literal or a previously declared and initialized variable name. 


мола Block) 


[) 
| 
"(" BlockStatementList() ")" 


} 


void BlockStatementList() 
i 
{ 
( LOOKAHEAD (2) BlockStatement () )* 
} 


void BlockStatement () 

(1 

( 
LOOKAHEAD( Type() «IDENTIFIER? ) 
LetvarStatement() 

| 
Statement () 

} 


void LetvarStatement () 
[) 
[ 
LocalVariableDeclaration() ";" BlockStatementList() 


| 


void LocalVariableDeclaration() 
() 
{ 


Type() VariableDeclarator() ( "," VariableDeclarator() )* 
} 





Figure 10. Specification Changes for letvar Statement 


All of the source code files used to implement the static analyzer are given in 


Appendix B. 
С RESTRICTIONS IMPOSED ON PROGRAMS 


The type inference algorithm in [3] does not treat an object-oriented language like 
Java. Although we started with a JavaCC specification for Java, the result was not an 
analyzer for full Java but rather an analyzer for that subset of Java corresponding to the 


simple language in Figure 1. So how big is this subset? 
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First, the subset that can be analyzed has no objects, and consequently no instance 
variables or instance methods. 

Second, all expressions must be free of any side effects. This is the reason that 
assignment expressions in Java are prohibited, as are pre and post increment 
"expressions". They all violate the confinement property. 

Other restrictions on Java programs include that they be closed (no free 
variables), that they have only non-recursive static methods, that they have no methods 
with a return type other than void, and that they have no forward references. Yet, other 
restrictions are imposed because certain constructs were not treated in the algorithm of 
[3]. They include try-catch blocks, synchronized blocks and so on. In summary, the 
following features of Java are not analyzed: 


Static Initializes 
Arrays 
Explicit Constructor Invocation 
Conditional Expressions 
Instanceof Expressions 
PreIncrement and PreDecrement Expressions 
PostIncrement and PostDecrement Expressions 
Cast Expressions 
Allocation Expressions - (object creation) 
. Labeled Statements 
. Switch Statements 
. For Statements 
. Break Statements 
. Continue Statements 
. Return Statements 
. Throw Statements 
. Synchronized Statements 
. Try Statements 
. Catch Statements 
. Finally Statements 


ea Oe а а 


м- е ےم‎ 
Deo © 


———— — w سم‎ 
N бо JD ئ‎ su 


tO 
© 


The constructs that have been disallowed have only been commented out in the 
grammar specification file listed in Appendix A in order to allow for their 
implementation in the future. This means they cannot be parsed in the current 


implementation. 
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VI. ANEXAMPLE RUN OF THE STATIC ANALYZER 


The program in Figure 11 illustrates an application of the static analyzer. It 
corresponds to the example program of Figure 3, in Chapter III, written in Java. 
However, it is not identical. for Java has no parameter-passing mode corresponding to 
mode out. Nevertheless, it serves to illustrate the analyzer. The results of the static 


analyzer when run on this program are shown in Figure 12. 


class test 
{ 
publie statie void pline x, ant y) 
{ 
int a 
int b 
while 





Figure 11. Static Analyzer Test Program 


o. Tis t5 Ti 04 05, fo, C5. Te ТОТО ТИ, bids Tiss TIS) 


tua me u bb твор 


T3 € te, t11 € T9, t9 = Тә То = To, 72 € to, t14 € Tis, T1 = T13, T3 < Т3, То < Т) 


Tı2 Proc(Tovar, Tıvar) 





Figure 12. Test Program Results 


We sketch a trace of the analyzer on part of the program. The parameters, x and 


y, are the first tokens to be analyzed. They are assigned the type variables to and Tı 


respectively. Then the varıable declaration: 
int a = x 
is analyzed. A new type variable for x, namely t», is created and the constraint set 


(to € t2) is generated. The constraint is generated by the case for identifiers where an 


upward coercion is introduced (see Figure 2). The variable a is assigned the type 
variable t» in analyzing the rest of the program. 
Next, the variable declaration: 
int b = 0 
is analyzed in the same manner, except that no constraint is generated since O is an 
integer. This is the integer literal case of the type inference algorithm. Finally, b is 
assigned the type variable t3. At this point, gamma contains the following types: 
Ix ce bined: be Bs De 


and only one constraint, то < t>, exists. 


Next, the while loop 
while(a > Q) 
is analyzed. The predicate, a > 0, is checked first and generates the following new 


constraints: 
ры. мг, 
The first comes from the identifier case of the algorithm (upward coercion of a's type) 


and the second comes from 1, - t; in the case for ej * e? in the algorithm of Figure 2, 


where Ті = ¿and t; = Ts The rest of the program is analyzed in the same manner. 


VI. CONCLUSIONS 


As we rely more on computer systems, secure flow analysis is a necessary tool to 
protect the information stored on these systems. Denning's work [1] [5] provides a good 
base of knowledge for secure information flow. The Lattice Model consists of a set of 
storage objects, a set of processes, and a set of security classes. Each storage object is 
bound statically or dynamically to a security class. Security classes are required to form 
a lattice, hence the name. A flow relation indicates permitted information flows between 
security classes. The lattice shows all allowed information flows within the system. 

Volpano and Smith [3] treat the model in the context of a type system and prove 
the soundness of the type system. They also give a type inference algorithm for the 
system. This thesis describes an implementation of that algorithm using JavaCC. The 
result is a static analyzer that checks for secure information flow at compile-time. 

The static analyzer can only analyze a subset of the Java 1.0.2 language. It may 
be too limited to allow one to write interesting and useful programs. Future work might 


focus on analyzing a larger subset of Java. 
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APPENDIX A - JAVA GRAMMAR SPECIFICATION 
The following pages represent the modified Java 1.0.2 grammar specification that 
is the input to the Java Compiler Compiler. The original grammar file was developed by 
Sriram Sankar on 6/11/96 and 1s copyrighted by Sun Microsystems Inc. Semantic actions 


were added to the original grammar to perform secure flow analysis on a subset of Java 


1.0.2 programs. 


UJ 
„ә 


+ 


Copyright (C) 1996, 1997 Sun Microsystems Inc.” 


Use of this file and the system it is’ part Of 1S constrained by the 
file COPYRIGHT Iin the root directory el this System. You may, 
however, make any modifications you wish to this file. 


+ ж ж Ж ж ж 


Java files generated by running JavaCC on this file (or modified 
versions of this file) may be used in exactly the same manner as 
Java files generated from any grammar developed by you. 


Author: Sriram Sankar 
Date: 6/11/96 


This file contains a Java grammar and actions that implement a 
front-end. 


Modified 24 Feb 98 by LT James D. Harvey, USN. 


Modifications have been made to incorporate a type checker into the 
compiler. Several portions of the Java language have been disabled 
in this version because the type checker does not support them. The 
portions that are not implemented are as follows: 


Static Initializers 

Arrays 

Explicit Constructor Invocation 
Conditional Expressions 
Instanceof Expressions 
PreIncrement and PreDecrement expressions 
Cast Expressions 

Allocation Expressions 

Labeled Statements 

Switch Statements 
Forzstatemenes 

Break Statements 

Continue Statements 

Return Statements 

Throw Statement 

synchronized Statement 

Try statement 


+ + ЖА Жа + ++ + АЖ + Ж ++ *+*+ + + ko ko OH + + АО + +++ HH HH HH HH Hr 


* Permission to reproduce has been obtained from Sriram Sankar of Sun Microsystems. 
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crti ions | 
LOORAHEAD. = ars 
JAVA UNICODE ESCAPE = true; 


EA 


| 


PARSER BEGIN(JavaParser) 


import Enesis. > 


public class JavaParser | 


(0 


tatic SymbolGenerator sg = new Symbolceneratoni4se 


public static void main(String argsli) | 


`n t 


JavaParser parser; 
Triple ConstraintSet; 


Gamma gamma = new Gamma ("myGamma"); 
if targs.length == 0) i 
System. out .printin(!"Java Parser Versıon 1.0.2: Reading om 
standard Mapu c 
parser = new JavaParser(System. in); 
) else if (args.length == 1) | 
System.out.printin("Java Parser Version 1.0.2: Reading from file 
ао 5 
Ery i 
parser = new JavaParser (new java.io.FilelnputStream(args[0])); 
| catch (java.io.FileNotFoundException e) ( 
System.out.printin( Java Parser Version 20072. Fike =] 
argslo Eg ROC TOUT 
rteLuürfn, 
| 
} eise { 
System.out.println("Java Parser Version 1.0.2: Usage is one 
EDI) s 
oystem.out.pripntlini" java JavaParser « inputfile"); 
SS term, Ont pri In POR”); 
ЭЕ оис: реиси” java JavaParser inputfile"); 
return; 
| 
tr a 
onstraintSet = parser.CompilationUnit (gamma); 
System.out.println("Java Parser Version 1.0.2: Java program 
parsed successfully."); 


} catch (ParseError e) | 
System. out.printin( “Java Parser Version 120022 ntospnsepec 
errors during parse. е 


PARSER END (JavaParser) 


ЧАЈ 
ол 


(л 
A 
H 
FU 


JDOSWHTTECSPALE Y 


—— 


е 
үн 
чүү 
nx 


SPECIAL TOKEN, 3 7* COMMENTS. *7 
| 
Е И Ие ои 


| <FORMAL_COMMENT: er СК ex te 4 re үк | а САКАУ 

NI ss TR 

| <MULTI LINE COMMENT: чо" (e [t m a "жə. (ыса | (x p Ee TE чө] aa: 
aa IS 


1 
J 


TOKEN : /* RESERVED WORDS AND LITERALS */ 
{ 
ABSTRACT: “abstract > 
BOOLEAN: "boolean" > 
BREAK: "break" > 

Beles “Буре” > 

CASES “саѕе > 

CAICH: "catch > 

СНАВ "char" > 

CLASS: "class" > 

CON T: o e onst 2 
CONTINUE: сапсуе > 
DEFAULT: "default" » 
DOS. oo = 

DOUBLE: "double" > 

LSE: "else" > 

EXTENDS: excends" > 
FALSE: “false > 

FINAL “final” > 
FINAL. ina > 
FLOAT? FEloat'” > 

В Si aie eo 

GOTO Goro” > 

Е 

IMPLEMENTS: "implements" > 
IMPORTO "IDOL. > 
INSTANCEOF: "instanceof" > 
EN. INE > 

INTERFACE: "interface" > 
LONG long. > 
NATIVE: native > 
NEW: "new" > 
Nui: Saul" > 

PACKAGE: "package"> 
PRIVATE: "private" > 
PFOTECTED protected" > 
UPL pubie > 
RETURN: "return" > 


И АЛ Пе ЛЕ 


N A A A 


NINA 


OR SUN CIN 


МАЛА 


ЖАТА АСА 


A A 
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SHORT: Shorn » 
"ROS TEE: “static” > 
SUPER: "Super" > 
SWITCH: Switch” 
SYNCHRONIZED: "synchronizea” > 
©. 
THROW: "throw" > 
THROWS: "throws" > 
TRANSIENT: "transient" > 
TRUE: true’ > 
TA CITTA 
MODOS OMT 
VOLATILE: "wöolatile" > 
WHILE: “white” > 


A 


AN 


N ARIN AED КИИС У 


= سے سد سے kasa‏ 


TOKEN 5 7* LITERALS */ 


{ 
« INTEGER LITERAL: 
<DECIMAL LITERAL» (["1","L"])? 
РНЕ LITERAL FIN "27172 
ISKOCTAL LITERAL (PLL 


< RDECIMAL К КЕДЕ О" | ) + > 
ЕЕ ы еы нын ун лс a EA ns Y wre 


S ТОСТАР LIBERAL: ОО 


A 


FLOATING_POINT_LITERAL: 
Е (5 
и 
о en e 
| (["0"-"9"])4 <ЕХРОМЕМТ> (["Е", "Е", "а", "р"] )з 
MOS (EXPONEN ОТ Ea] 


HEXPONENT: Е (pnm ao» ([ror-"g"])+ = 


A 


< CHARACTER LITERAL: 
ӘП Із a 
5 
(nn n pn A MS NEL E 
Ei cc NN SEE = 
Е вести 
) 


ment 
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“ЗАТЫ БІЗБЕН; 


[ONES NES тант 
poe 
ОА O s S A A s nsn S 
Ш о y? 
p q A 
| 
| 
ү 
511 


) 


TORBN СҮЛ TOENTIFIERS a 
[ 
2 EDENTIETER SSL ETTER > (S pTTpëp>s I DICIT) > 
| 
< HEDETTEE: 
[ 
O СЫН 
По. 
"UOS 
БОЕ". 
ое вю". 
"suddas =" 40026", 
PV UOCEs “="\a00 RE”, 
MON OU =" ad rn, 
Bc о, 
и Eu 
ое", 
о Е", 
ЕЕ" 


] 
> 


СЕЕ ВР: 

[ 
"\u0030"-"\u0039", 
"\u0660"-"\u0669", 
и dor os 
"\u0966"-"\u096£", 
"\u09e6"-"\u0gef", 
"\u0a66"-"\u0a6f", 
"NuOae6e"-"NuOaef", 
"\u0b66"-"\u0b6£", 
"Nu0be7"="Nu0bef", 
"\u0c66"-"\u0c6f", 
"ocean nun Oe n" 
"\u0d66"-"\u0d6f", 
ео 
"\uded0"-"\uded9", 
с" 


+3 
a 


A 


— 


= e A ee iue 


i I AIR A 


Û] 
= 

5 
Jd 
t] 
m) 
pi 
+] 
O 
7) 
u 

+ 


РАББЕМ ү > 
RPAREN: "}" > 
epa sl E 
RBRACE: 777 > 
LBRACKET: "[" 


RBRACKET: "]" » 
SEMICOLON: ";" > 
СОММА: "," > 
Ber m 


TOKEN : /* OPERATORS */ 


Í 


— --- -- --- -- --- --- -- --- -- --- --- --- --- س  — —  — — — — — — — —_ ee‏ — . — لسا سے سے س A‏ س سے س 


TS IN NaS. UP aS I PS POPS TIN ASESINAS АСА 


ASA A ANA TA ATAT TINIAN A ANA ANTA AENEA 


ASSIGN: "=" > 
т ">> 

ER : 1f < ff > 
BANG: "I" > 


TILDA n ТЫ 
O В 
СОГОМ: “ш> 
ЕО: "==" > 

Dp. а=" >» 

GE: ">=" > 

NE: "!=" > 
"Cos. ||" ТА 
SC AND: "&&" » 
TIERE NDS 


DECR: Ee > 
RUS: "UTC 
MENUS: => 


DAR: UST IS 
И US 
EIISAND: "eU > 


pu ER. 5 
Mp MARS 
REM: "s" > 


пеи 
BSTSNEDSHIFT: “22° > 
BUNSTENEBSHIET. "727297 
PLUSASSIGN: "+=" > 
MINUSASSIGN: "-=" > 
STARASSIGN: "*=" > 
SLASHASSIGN: "/=" > 
ANDASSIGN: "&z" » 

ORASSIGN: "|=" > 

XORASSIGN: "^z" » 
REMASSIGN: "S=" > 
ESHIPTASSIGN: "<<=" > 
RSIGSNEDSUTEFZSSIEN. SS 
RUNSTENEDSHIEFTASSTEN: => 
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Bann c c O rss 


+ THE JAVA LANGUAGE GRAMMAR STARTS HERE + 


ОАО ОЕ Е ОКЕАНИИ Ууу к 


Ды 
Ж РБекоскашта Е. 
P i 


Triple CompilationUnit (Gamma gamma) 


(Triple cs = null;) 

f 

1 

//[ PackageDeclaration(í) |] 

//( ImportDeclaration() )* 
( cs = TypeDeclaration(gamma) )* 
“БОКУ 


[return сС5;} 


void PackageDeclaration() 
i} 
{ 


"package" Name() ";" 


void ImportDeclaration() 
(] 
{ 


importes Name () [ мо "+ tf ] r 


Triple TypeDeclarationiGamma gamma) 
[Triple res no) 


f 
b 


[BOOKAHIRADU EM abstract'" | “Lamal” | “public” > “class O 
cs = ElassDecltarat10n (gama; 


InterfaceDeclaration (gamma) 


Н) 
(return cs;] 


} 


РА 
* Declaration syntax follows. 
= 


+0 


ripie ClassDeclaration: Gamma gamma) 


Triple cs = null; 
Dual d = new Dual (cs, gamma! ; 


¡abstract | “final” 1 “public” 42 
"class" «IDENTIFIER» [ "extends" Мате!) | | "implements" NameList(j 
"I" (d 7» ClassBodyDeclaration(d.gamma) )* "Jj" 


f 

1 
ET SHUR 
return dcs} 


else í 
return Cs; 
епа if 


Dual ClassBodyDeclaration (Gamma gamma) 
{ 
Ti ple cs = null; 
Dual d = null; 
} 
{ 
( 
ж 
LOOKAHEAD (2) 
Statieinstializer|) 


er 
LOOKAHEAD( | “public” |. “protected” | “private” | Name) 0 0 
cs = ConstructorDeclaration(gamma) 
{а = new Dual (cs, gamma) ; } 


LOOKAHEAD( MethodDeclarationLookahead() ) 
Я = MethodDeclaration (gamma) 


d = FieldDeclaration(gamma) ) 

{ 
System.out.printInt "Censtraint вес: + deca), 
oystem.out.printin( Gamma: " c "eegamuad); 


return cds 
} 


// This production is to determine lookahead only. 
void MethodDeclarationLookahead() 
(1 
{ 
( “public” | "protected' | “private” | Е 
"Cial | “Native "о 
ResultType{) <IDENTIFIER> “(" 
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void InterfaceDeclaration(Gamma gamma) 
{Triple cS > null,) 
Í 


‚ “"apsrract' | "p yn у» 
"interface" «IDENTIFIER» | "extends" NameList' ] 
"(" ( InterfaceMemberDeclaration{gamma) )* "}" 


void InterfaceMemberDeclaration (Gamma gamma) 


{ } 


( 
l 


LOOKAHEAD( MethodDeclarationLookahead() ) 
MethodDeclaration (gamma) 

| 
FieldDeclaration (gamma) 


| 


Dual FieldDeclaration (Gamma qamma) 
{ 
Dual d = null; 


Abit IS ов ом DEI Vace is tae. Ea 
"brransrent^ |" volatrle'" nm” 
Type() d = VariableDeclarator(gamma) ";" 


{ 
return ds 
} 
} 


Dual VariableDeclarator(Gamma gamma) 

{ 

1 
Mriple"es = new Tripleis¢.Nextsymbol(), > 
String pic, 


id = VariableDeclaratorid() ( "=" cs = Variableinitializer (damma) | 
cs = Default () ) 
{ 
gamma = Gammarappenea пеи GommaTtemf id, es.ge wre), var), 
Dual д = new Dual (cs, gamma); 
return d; 


J 


Triple Default () 
{ } 
{ 
{return new Triple(sg.NextSymbol(), "");) 
} 


String VariableDeclaratorId() 
ГОЛ oa 
{ 
SIDENTIFIER- 
{id = token.image; } 
77 тат 
Lrepurm ds) 


| 


Triple VariableInitializer(Gamma gamma) 
[Triple cs - null;) 
{ 
/ * 
"{" | Variablelnitializer()( LOORAHEAD(2) "," VariableInitializer() 
еы SE 


Cs = Expression (gamma) 
{return cs; } 


) 


Dual MethodDeclaration (Gamma gamma) 


I 
1 


Triple es = null; 

Dual d = new Dual (cs, gamma); 

Gamma temp; 

Gamma param = new Gamma ("param"); 
) 
{ 

( “public” | “prctected”™ | "private" J "starre Te b li. L R| 
Final” | native’ | “synehrenizea™ )~ 

ResultType() 


temp = MethodDeclarator (gamma, d) 
{ 
while(!(temp.isEmpty())){ 
Gammaltem gi = (GammaItem)temp.getFromList(); 
gamma = gamma.Append (gi); 
param = param.Append(gi); 
temp = temp.removeFromList (); 
)//end while 


"throws" Namebist () | 
cs = Block(gamma) | ";" ) 


سه پم لس س 


Gammaltem Gl = new Gammaltem(d.id, cs.getType(), "proc"); 
GI.setParam(param); 

d.gamma = d.gamma.Append (GI); 

return new Dual (cs,d.gamma); 
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Gamma MethodDeclarator (Gamma gamma, Dual d) 
jsering 24, 
{ 
<IDENTIFEBR="1100 2 token: images. 
gamma - FormalParameters() ( "[" "]" )* 
{ 
d.id = id; 
return сапта; 


| 


Gamma FormalParameters() 
{Gamma temp = new Gamma("temp");] 


{ 
"(" [ temp = FormalParameter(temp) ( "," temp = FormalParameter (temp) 
) * ] " ) " 


ЕЕ cm 


Gamma FormalParameter (Gamma gamma) 
(Steig de 
{ 
Type() id = VariableDeclaratorld() 
{ 
gamma - gamma.Append(new Gammaltem(id, sg.NextSymbol(),"var")); 
return gamma; 


1 
J 


Triple ConstructorDeclaration (Gamma gamma) 
(Triple cs = null;) 


, 


t 


public" | "protected" "private" 1 
<IDENTIFIER> gamma = FormalParameters() [ "throws" NameList() | 
mt" JPODSREOONAHRADI2)SESUDITCIHEOCOUSUtPucborbnuoegtbiomni | 

( cs = BlockStatement (gamma) )* "}" 


(Leturmn ss} 


/* 
void Explicit сова о) 
i] 
{ 
“tnis Arguments c 
| 
super Arguments E 


} 
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void Staticlnitializer (J 
і) 
І 
1 

"Stacie Bleckt),) 
СА 
/ + 

* Type, name and expression syntax follows. 
+ / 
void Type() 
b) 

1 

{ 


( PrimztiveTypeti) | Namei) ) ( "[" "]" j* 


void PrimitiveType() 
(] 
{ 


"boolean" 
"char" 
"byte" 
"Shore 


1 "t 


DI 
"Long" 
"float" 


“double: 


void ResultType() 
() 
( 
"Sola 
| 
Type() 
) 


String Name () 


J+ 
* A lookahead of 2 is required below since "Name" can be followed 
* by a "tH when used Inthe context Gf an “Import Declarar lon”, 

f i 

16 ring таз! 

І 

1 

<IBENTTEIER> 
{id = token.image; } 
jx LT LOORAHEAD( 2) TS <TDENTTETER TY 


return Та) 


void NameList() 
{ } 
{ 


Name () 
Name) 
ne 
) 
ях 
* Expression syntax follows. 
a 


Triple Expression (Gamma gamma) 

Triple cs) 

{ 
( LOOKAHEAD( PrimaryExpression(gamma) AssignmentOperator() ) 
cs = Assignment (gamma) 


cs = ConditionalOrExpression(gamma) ) 
{return cs;) 
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Triple Assignment (Gamma gamma) 
Í 

Siri nas 

Triple es, 
J 
{ 

id = PrimaryLeftExpression() AssignmentOperator(! cs 
Expression (gamma) 

Í 

GammaItem item 


= gamma.FindType (id); 
if(item '- null)| 


String mod = item.getModifier(); 


if(mod.equals ("var") || mod.equals("acc")){ 
String tau = item.getType(); 
String tauPrime = cs.getType(); 
String alpha = sg.NextSymbol (); 


Constraintitem cil = new Constraintltem(tau, tauPrime); 
Constraintltem ci2 = new Constraintltem(tauPrime,tau); 
Constraintitem ci3 = new ConstraintItem(alpha, tauPrime) ; 


cs = cs.Append(cil); 
cs = cs.Append(ci2); 
cs св.Аррепа(с13); 
es..seuModi fins: (“cma”); 
cs.setType (alpha) ; 


1 


| 

else! 
System. Er. paltas e cubren Par seta Leche 
Syseem-ex1t( 0); 


}//end if 
} 
else í 
System.out.println("Unrecognized variable " + id); 


System.exit (0); 
}//end if 
return cs; 


void AssignmentOperator() 


(1 


им | "xt | via | "yl" | "acl" | non | "<<=" | >=" 


ES 
void ConditionalExpression() 
() 
{ 
CeneditionalürEsxpressiont) I "2" Expression.) 7 
ConditionalExpression() ] 
} 
ү 


+7 


| 


11 | 


Triple ConditionalOrExpression (Gamma gamma) 
f 
l 
Triple csl; 
Triple cs2 = null) 
í 
L 
csl = ConditionalAndExpression(gamma) ( "||" cs2 = 
ConditionalAndExpression (gamma) 
{ 
Ее lS nulli 
SEEING Call SS CSI р 
String tau2 = cs2.getType(); 
Constraintltem cil = new Constraintltemí(taul,tau2); 
ConstraintItem ci2 = new ConstraintItem(tau2,taul); 
csl - osl.Unionies2)Appengd(erl).Appendics2)5 


} 
) + 
return resis: 1 


) 


Triple ConditionalAndExpression (Gamma gamma) : 
{ 
Triple csi; 
Triple cs2 = null; 
} 
{ 
csl = InclusiveOrExpression(gamma) ( "&&" cs2 - 
InclusiveOrExpression(gamma) 
{ 
{ба жакту 
String taul = csl.getType(); 
String Жаш? = с52 лег рег); 
Constraıntitem cil = new Constralintitemtaul,tauzy, 
Constraintitem ciz = new Constraintltem(tauz2,taul); 
С = ОГ. Ио ПС. РЕНО С). 


} 
) * 


{return СЕЕ] 
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Triple IncelusiveörExpressıon (Gamma gamma) 
{ 

Turple csi, 

Triple сас += Rull: 


—— 


csl - ExclusiveOrExpression(gamma) í "|" csz = 
ExclusiveOrExpression (gamma) 
{ 
if(cs2 != null)! 

String taul = cs1l.getTypei); 
String tau2 = cs2.getType(); 
ConstraintItem cil = new Constraintltem(taul,tau2); 
Constraintltem сі? = пем Constraintltem(tau2,taul); 
cs] - csl.Union(cs2).Append(cil).Append(ci2); 


J 
) + 


{return csl;} 


Triple ExclusiveOrExpression(Gamma gamma) 


f 
1 


Triple cs1; 


Triple cs2 = null; 
) 
{ 
csl = AndEXpression(gamma) ( "^" cs2 = AndExpression (gamma) 
{ 
рсе V= pulla 


ЭЕ па аці = csl. geti pel; 

string tau2 = cs2.getType(); 

Constraintitem cil = new Constraintltem(taul,tau2); 
Constraintltem ci2 = new Constraintltem(tau2,taul); 
CSI = СЫ. Бор O 2) 


} 
) * 


{return csl; } 
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Triple AndExpression (Gamma gamma) 


( 
Triple csl; 


Triple cs2 = null; 
) 
{ 
csl - EqualityExpression(gamma) ( "&" cs2 = EqualityExpression (gamma) 
{ 
TITIES = null), 


Stering taul = csl.getlype(); 

String tau2 = cs2.getType(); 

ConstraintItem cil - new ConstraintItem(taul,tau2); 
ConstraintlItem ci2 - new ConstraintItem(tau2,taul); 
csl  csl.Union(cs2).Append(cil).Append(ci2); 


) 
MS 
{return esl >} 


} 


Triple EqualityExpression (Gamma gamma) 
{ 
Triple csl; 
Triple" Es "=p null 
} 
{ 
csl = RelationalExpression (gamma) ( ( "==" O = 
RelationalExpression (gamma) 
( 
ГЕПСЕ2 1= null) 
String taul = csl.getType(); 
Seringerau2 = es2.ger.yrel), 
Constraint Item cil = new, Constraintitem(taul, tauZ): 
Censtraintitem ci2 = néew-Constraintitem(tauz,taul) > 
esl -esjeuUnlonles2).nspendleil, -Appendiei2); 


} 


jo 
кештп csl! 


) 
/* 


void InstanceOfExpression() 
13 
{ 
RelationalExpression() [ "instanceof" Type() ] 
) 
el 


Triple RelationalExpression (Gamma gamma) 
{ 
Triple csl; 
Triple cs2 = null; 
} 
{ 
esl = ShiftExpression (gamma) ( ( "<" | ">" Л "<=" | ">=" с52 
ShiftExpression (gamma) 
[ 
СЕД ЕИО 
String taul = csl.getrlypet); 
String tCauz = csZ.getlyoe{); 
ConstraintItem cil = new Constraintltemí(taul,tau2); 
ConstraintItem ci2 - new ConstraintItem(tau2,taul); 
csl - csl.Union(cs2).Append(cil).Append(ci2); 


j 
pu 
(return С517) 


} 


Triple ShiftExpression(Gamma gamma) 
( 
Triple csl; 
Triple cs2 = null; 
} 
{ 
csl = AdditiveExpression(gamma) ( ( "<<" | ">>" | ">>>" ) cs2 - 
AdditiveExpression (gamma) 
( 
Ets. ЕЕ ТОИ 
string taul = E51.9eLTypet); 
Stering tauz — csz.getlvpet); 
ConstraintItem cil = new Constraintltem(taul,tau2); 
ConstraintItem ci2 = new Constraintitem(tau2,taul); 
csl = cs1.Union(cs2).Append (cil) ..Append (ci2); 


} 
Jot 


(return CSL; 


Triple AdditiveExpression (Gamma gamma) 
{ 
Triple csl 
Triple csZ - null; 
| 
{ 
csl = MultiplicativeExpression(gamma) ( ( "+" | "-" ) cs2 
MultiplicativeExpression (gamma) 
{ 
ECS cmt 
String taul = csl.getType(); 
String tau2 = cs2.getType(); 
Constraineltem ell e mew Constrauintitemittaul. tauzl, 
Constraintltem ci2 -— new ConstraintIlItem(tau2,taul); 
esl -osl.Unizonics2).Aopendíorl).Apbpend(ort2); 


return CSL; 


| 


Triple MultiplicativeExpression (Gamma gamma) 
{ 
triple аы, 
Triple cs2 = null; 
J 
{ 
esl = UnaryExpression(gamma) ( { ““" | "А | a" J—cspcs 
UnaryExpression (gamma) 
{ 
if (cs2 1= null): 
SETTING EAU Des] .getivpet); 
String tanz = 6s2-g br) 
ConstraintItem cil - new ConstraintItem(taul,tau2); 
Constraintltem ci2 = new Constraintltem(tau2,taul); 
csl = csl.Umioní(cs2) .Appendí(ecil). Append(e12) 


return csl: 


(л 
to 


Triple UnaryExpression(Gamma gamma! 
Ее cs] 

[ 

1 


бү "T" | "2" jj es - UnarybXpressiontgamma] 
| 


үт 


PrelncrementExpression() 


PreDecrementExpression() 

"f 
cs = UnaryExpressionNotPlusMinus (gamma) ) 
{return cs?) 


yx 

void PrelncrementExpression() 
{ } 

{ 


"Tt" PrimaryExpression(í) 


void PreDeécrementExpression(t) 
{ } 
{ 


--" PrimaryExpression() 
) 
7 


Triple UnaryExpressionNotPlusMinus (Gamma gamma) 
(Triple css 


OCTET IE CES = UnaryExpressicn(gJganma) 


LOOKAHEAD( CastLookahead() ) 
Castbxpressient) 


cs = PostfixExpression(gamma) ) 
{теригип Es. | 


Un 
Lad 


l= 
// This production is to determine lookahead only. The LOOKAHEAD 
// specifications below are not used, but they are there just to 
// indicate that we know about this. 
void CastLookahead () 
i} 
{ 
LOOKAHEAD (2) 


"(" PrimitiveType() 
| 

LOOKAHEAD("(" Name() "[") 

үн Маше () AO AUAM 

11 Name () 15 " ( ". | " ! и | " An | <IDENTIFIER> | ERIS | "super" | 
"new" | Literal() ) 


J 
и. 


Triple PostfixExpression (Gamma gamma) 
itripleres,} 
{ 
Es -ocPRramarvExoresslon(gamma) Igel owes] 
{return Се; 


j 


Z: 
void CastExpression() 
(1 
{ 
(LOOKAHEAD (2) 
Ее ( pepe OA A Una ey Expres son 
| 
"(" Name() ( "[" "]" )* ")" UnaryExpressionNotPlusMinus() ) 
j 
d 


Triple PrimaryExpression (Gamma gamma) 
(Triple es = mull} 
{ 


cs = Primaryererlwigammaj/, | Primarysuttixicgamma) J2 


tfeturn ess) 


Triple PrimaryPrefi> (Gamma gamma; 


{ 


Triple ras AUN, 
Triple csl = null; 
Triple cs2 = null: 
String 1a = null; 
Gamma temp = null; 
) 
{ 
(cs = Literal() 
| 
["this" "."] id = Name () 


{ 
Gammaltem item 


= gamma.FindType (id); 
itirtem !— null)i 


String mod - item.getModifier(); 


if(mod.equals("var") || mod.equals("")){ 
String tau - item.getType(); 
String alpha = sg.NextSymbol (); 
ConstraintItem cil = new ConstraintItem(tau,alpha); 
cs = new Triple(cil,alpha,""); 

} 

else if(mod.equals("proc")){ 
temp = item.getParam(); 

1 

) 

else{ 
System.err.printin("Secure Parse failed"); 
System.exit (0); 


}//end if 
} 
elsel 
System.out.printin("Undefined variable: " + id); 
// System.exit (0); 
temp = new Gamma ("temp") .Append (new Gammaltem("",sg,"")); 
)//end if 
} 
[ "(" [ csl = PrimaryPrefix(gamma) 
{ 
//create constraint type(csl) = type(param) 
String tauPrime = csl.getType(); 
String taul - ((Gammaltem)temp.getFromList()).getType(); 
temp емо ЕО, 
Constraintltem cil = new Constraintltem(taul,tauPrime); 
ConstraintItem ci2 = new Constraintltem(tauPrime,taul); 


/ ladd constr ко csl 
с51 = cs1l.Append (cil) .Append (c12) ; 


cs = cs]; 
} 
( "," cs2 = PrimaryPrefix(gamma) 
{ 
//create constraint type(cs2) = type (param) 
String tauDoublePrime = cs2.getType(); 
String tau2 = ((Gammaltem) temp.getFromList()).getType(); 
temp. removeFromList (); 
ConstraintItem ci3 = new Constraintltem(tau2,tauDoublePrime) ; 
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ConstraintItem ci4 = new Constraintltem(tauDoublePrime,tau2); 


f/esl Union csa 
csl = CSE UNIS оол)? 


/ Zaad constraint. tO es] 
csl = csl.Append(ci3).Append(ci4); 
cs = csl; 


rare 


"Supe. a <TBENTIETIER> 


es = Expression (gamma) "|" 


AllocationExpression () 
С 
) 


ecu es.) 


} 


Jee 

Triple Primary surerx | ) 
{ } 

{ 


"Expression 71" 
| 

"." «IDENTIFIER» 
| 

Arguments () 


} 
E 


String PrimaryLeftExpression() 

{ } 

{ 
A IN UU 
(return token.image;) 


} 


Triple -Lirerai!) 
i} 


| 
l 


( «INTEGER LITERAL» 
«FLOATING POINT LITERAL» 
«CHARACTER LITERAL» 
«STRING LITERAL» 
BooleanLiteral() 


NullLiteral() ) 


(return new Triple(í(sg.NextSymbol(,,""!; 


vola BooleanLiteral() 
13 
| 


"True" 


"false" 
} 


void NullLiteral () 
{ } 
{ 

"Nike 


} 
/* 


void Arguments() 
(] 
{ 
"OCT [ Arguməntbist i, р "у" 
} 


Triple ArgumentList (Gamma gamma) 
{ } 
{ 
Expression Eee, Expression ()) j) 


} 


Un 
м} 


void AllocationExpression() 
E 
| 

LOOKAHEAD (2) 


"new" PrimitiveType() ArrayDimensions(j 


new" Name() ( Arguments() | ArrayDimensions() ) 


| 
=” 


/* The second LOOKAHEAD specification below is to parse to 

* PrimarySuffixif there is an expression between the "[...]". */ 
/* 
void ArrayDimensions() 

{ } 

{ 

( -HOOKAHEAD (2). “| © Expression ()< "|" jl LOORAHEAD(Z)0%( n > 

} 

G 


22 
=, 

Triple Statement (Gamma gamma) 
рев п) 

{ 


Statement syntax follows. 


(LOOKAHEAD (2) 


е 
LabeledStatement () 
| 
7 
cs = Block (gamma ) 
| 
cs = EmptyStatement (gamma) 
| 
cs = StatementExpression (gamma) ";" 
| 
и > 
SwitchStatement () 
| 
gi 
cs = IfStatement (gamma) 
| 
cs = WhileStatement (gamma) 
| 
cs = DoStatement (gamma) 
и 
| 
ForStatement() 
| 
BreakStatement () 


ContinueStatement () 


ReturnStatement() 


Un 
00 


ThrowStatement () 
SynchronizedStatement 


TryStatement () 
m 

) 

{return cs;} 


} 


Jor 
void LabeledStatement () 
{ } 
{ 
<IDENTIFIER> ":" Statemenet) 
} 
К 


Triple Block (Gamma gamma) 
р | 
{ 

"{" cs = BlockStatementList (gamma) "}" 
return Gs; 


} 


Triple BlockStatementList (Gamma gamma) 
{ 
Trıpleres 12 nuli; 
Triple es, 
} 
{ 
( LOOKAHEAD (2) cs2 = BlockStatement (gamma) 


І 
1 


1f(cs2 != null) { 
if(csi == null} { 
csl = 652; 
} 
elsel 


String taul = csl.getType(); 
Sering Cal = cCs2- ge bE; 
Constraintltem cil - new ConstraintItem(taul,tau2); 
Constraintitem ci2 = new Constraintitem(tau2,taul); 
esl -= csl.Unionics2); 
с51 = csl.Append(cil); 
csl = csl.Append(ci2) 
)//end if 
)//end if 


, 


j 
yos 


[тесип бег! 


th 
© 


Triple BlockStatement (Gamma gamma) 
(Triple es) 
{ 
(LOOKAHEAD (Type () <IDENTIFIER>) 
cs = LetvarStatement (gamma) 


cs = Statement (gamma) ) 
{return cs; } 


} 


Triple LetvarStatement (Gamma gamma) 
{ 

Dua c 

Triple cs = null; 


d = LocalVariableDeclaration (gamma) ";" 
{gamma = d.gamma; } 
cs = BlockStatementList(gamma) 
[ 
Ес: = пы) | 
es нс сү; 
cs.setModifier ("cmd"); 
} 
elsel 
es = d.cs; 
} 


return cs; 


) 


Dual LocalVariableDeclaration(Gamma gamma) 
DUAL e 
( 
Type () 
d = VariableDeclarator (gamma) 
( "," VariableDeclarator(gamma) )* 
песи аба 


) 


Triple EmptyStatement (Gamma gamma) 


Lreeirnemewurıple(-g.Neze symbol) .“cmay:) 
} 
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Triple StatementExpression (Gamma gamma 
Je 
* The last expansion of this production accepts more than the legal 
* Java expansions for StatementExpression. 
Ey 
(Triple es +) 
| 
( LOOKAHEAD( PrimaryExpression (gamma) AssignmentOperator (gamma) ) 
cs = Assignment (gamma) 


cs = PostfixExpression (gamma) ) 
[return cs;] 


} 
m 


vold SwitchStatement {) 
{ } 
{ 
сема Сеп "("Expression(i) 777-747 
( SwitchLabel() ( BlockStatement() )* )* 


ыы 


void SwitchLabel() 
Ж 
| 


" 


"case" Expression() ": 


do "үн 


61 


Triple IfStatement (Gamma gamma) 
ym 
* The disambiguating algorithm of JavaCC automatically binds dangling 
* else's to the innermost if statement. The LOOKAHEAD specification 
* is to tell JavaCC that we know what we are doing. 
Hu 
{ 
Teiple es; 
Triple cal; 
Triple es2 - null, 


"Lf" "(" cs = Expression (gamma) ")" 

csl = Statement (gamma) 

[ LOOKAHEAD(1) "else" cs2 = Statement (gamma) | 

( 
Sering = С-. ОЕ: 
String taul = csl.getType(); 
String alpha = sg.NextSymbol(); 
Constraintltem cil = new Constraintltem(tau,taul); 
Constraintftem 212 = new Constraint em taul, tau); 
Consl rain item ¢i3-— new Constraintitem( alpha, tau); 
€sa— eS Unlon (csl Appendici Appendici Appendici), 
cs.setType (alpha); 
иена ео. 


ittes2 anull) 
String tau2 = cs2.getType(); 
Constraintitem cid = new Constraintitem(tau,tauZ2) ; 
ConstraintItem ci5 = new ConstraintItem(tau2,tau); 
ConstraintItem сіб = new ConstraintlItem(taul,tau2); 
Constralntitemn ci] = mew Constraimtitemn(tauZz, tau); 
cs = 

сѕ.Опіоп (с52) .Аррепа (сі4) .Аррепа (сі5) .Аррепа (сіб) .Аррепа(сі7); 
)//end if 


КЕСЕПЕТ (5; 
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Triple WhileStatement (Gamma gamma j 


{ 


} 


f 
1 


тері са! 


! 


ІШІ” 


Triple es2 = null, 


"while" "(" csl = Expression(gamma) ")" cs2 


| 


Statement (gamma) 


SEEING tau = еее ре. 
String tauPrime = cs2.getType(); 
String alpha = sg.NextSymbol(); 


Constraintltem cil = new Constraintltem(tau, tauPrime); 
Constraintltem ci2 - new ConstraintItem(tauPrime,tau); 
ConstraintItem ci3 = new Constraintitem(alpha, tau); 

( 


esl = csl.Union(cs2Z) .Append(c11). Append (ciz) .Append (¢13); 
csl.setType (alpha); 

селее нету ес тр" у 

return С51; 


Triple DoStatement (Gamma gamma) 


{ 


} 


/* 


Triple csl = null; 
Triple cs2 — null; 
"do" cs2 = Statement (gamma) "while" "(" csl - Expression(gamma) ")" 


HH 


{ 


String tau = csl.getType(!); 

String tauPrime = csZ.getType(); 

String alpha - sg.NextSymbol(); 

ConstraintItem cil = new Constraintitem(tau,tauPrime); 
ConstraintItem ci2 = new ConstraintItem(tauPrime,tau); 
Constraintitem €i3 = new Constralntitem(alohña, teu); 

csl - csil.Upnren(csZ2).Appendícil).Append(cr2) .ApDendicrs 
csl.setType (alpha); 

csl.setModifier("cmd"); 

BPeELUTi tes i: 


void ForStatement () 


(1 


{ 


ESE Zen [ ESILE) ] А 


ГЕ |“ 
[ Forlsdarei) ] "y 


Statement () 
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verd окт) 


(1 


Í 
l 


LOOKAHEAD( Type() «IDENTIFIER» ) 
LocalVariableDeclaration() 


StatementExpressionList() 


void cstatementbxpresssonbprsti) 
(1 
{ 


statemehtEspreselon Ma, 5 QL ron tes prossion O) >) 


void ForUpdate() 
{ } 
{ 
> tatementExpreessionbiste]) 


| 


void BreakStatement() 
{) 
{ 
Break 202 IDENTTEIER DT 


1 
) 


void Continuestatement() 
(] 
{ 
“eontıinue. | <TDRERTTPIEL. | "и" 
) 


void ReturnStatement () 
{ ] 
{ 
"return | Expression) I" 


| 


void ThrowStatement() 
11 
{ 
throw" Expression) ":” 


) 


void SynchronizedStatement () 
{ } 
{ 
"svnebronized TOE Баркезетепі) ") "ОБСЕ 


| 
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void TryStatement () 

{ } 

{ 
TETY s. DLocki) 
( "catch" "(" FormalParameter() ")" Blockí() )* 
[ "finally" Block() | 

j 

* 
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APPENDIX B - STATIC ANALYZER SOURCE CODE 


67 


к а EE 


// File: Gamma.java 
// Date: 24 Feb 98 


// 

// Author: LT James D. Harvey, USN 

= 

// Purpose: Developed as part of a secure information flow static 
2 analyzer. Basically a linked list. 


Дт uM ML Css c wb uo ^ M ا‎ S 


package thesis; 
import Јама зо; 


public class Gamma 

{ 
protected Object obj; 
protected Gamma next; 
protected Gamma rear = null; 
publie String name; 


public Gamma (String name) 


{ 
this.obj = null; 


enis nest = this; 
this.name = name; 
if(rear == null) 


rear = this; 


private Gamma () 

{ 
СПІС Ору епс. 
thre.next = this; 


public Object getFromList() 
{ 


return ГПБ ОБТ; 


} 


public Gamma removeFromList () 


( 


return this.next; 


u 


public synchronized boolean isEmpty() 


Í 


if(this == rear) 
return true; 
else 


return false: 


68 


public Gamma Append (Gammaltem gi: 
{ 
Gamma ч = пем бапта (); 
g.obj = аі; 
aa A те 
return 4; 


public Gammaltem FindType (String name) 


І 
l 


Gammaltem temp = null; 
Gamma list = this; 
boolean matchFound = false; 


do { 
ifílist.obj == null) 
Les rn pul; 


String item = ((Gammaltem)list.objj.Name; 


if (item.equals (name) ) { 


temp - (Gammaltem)list.obj; 
matchFound = true; 
| 
else (í 
list = (Gamma) list.next; 
t//end if 


'while(!matchFound); 


НЕ comp 


Public String tegtring() 
{ 
if (i SEP ey () ) 
кесіпті” 
else 


БЕ as exa 


1 
J 


)//end gamma class 
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ST + + + + + + + + + + +O + -+ + + j + + Ú + + Ñ+ + + + + Ñ+ + y y de Ñ+ + + + + + + Y de Ñ+ + + + + + + 
// File: Gammaltem.java 
// Date: 24 Feb 98 


7 

// Author: LT James D. Harvey, USN 

y 

// Purpose: Developed as part of a secure information flow static 
Pi analyzer. It is an item to be placed into gamma. The 
nd structure consists of a name and a type. The type may 
27 consist of 1-3 fields. 


KL FFIR EFFIZIENTEN o E E A EE E RES AR TT 


package thesis; 
трое ао 


public class Gamma I ten 

{ 
protected String Name; 
protected String "Type; 
protected String Modifier; 
private Gamma param; 


public Gammaltem(String Name, SymbolGenerator sg, String mod) 
{ 


this.Name = Name; 
this.Type - sg.NextSymbol(); 
this.Modifier = mod; 


public Gammaltemi(sString Name, String Type, String mod) 
{ 


this.Name = Name; 
this. fype = Type; 
this.Modifier = mod; 


public void setParam(Gamma gamma) 


I 
1 


this.param = gamma; 


} 


public Gamma getParam() 


( 
геп Ens, pa Lam 


} 


públic string getName) 
( 


return this.Name; 


public String getiyper) 
{ 


return пт Туре; 
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public String getModifierf] 
{ 


return chis.Moditier; 


Ва 
| 


if(Modifier.equals|" proc JM 


return "(айе ти ре ^ Modrirriret ыкы улга bp n, 
| 
elsel 

return ( "(" + Name + ":" + Type + Modifier + ")" ); 
)//end if 


} 
)//end class 
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"m 
47 
mt 
/ / 
/ / 
7 
L^ 
/ / 
n 
/ / 
/ / 


pa 


pu 
{ 


+ + + + + + + + + + e + jk k + 4 + + + + e e + + de ل‎ + + + + + + + + Ó+ + + + + + Ж e e + + + % * +k لے‎ +4 +4 + 4 + + ++ + ++ + + + * + + + + 


File: Triple.java 
Date: 24 Feb 98 


Author: LT James D. Harvey, USN 


Purpose: Developed as part of a secure information flow static 
analyzer. The structure consists of a constraint set 
and a principle type. The type may consist of 1-2 
fields. 


++ + + + + + + + + + + + + + + + + + Í j+ + + + + + e e ل لا ل لل ل‎ Í+ + + + + 4 Ñ+ + Y Y + j+ + Í+ Ñ+ + j j Ñ+ obo j 4 + 4 j+ + + Ñ+ + + + لا‎ 5 + x 


ckage thesis; 

blic class Triple 

private: LinkedList Constraint Sert; 
private trino Type; 


private String TypeModifier; 


public Triple() 
{ 


this. Iype ~ "Type"; 
this.TypeModifier - "mod"; 
Constralint5er = new LinkedList name”); 


рЫ Triple Const raintitcem ci, Streing ype, String Modifier) 
{ 

ConstraintSet = new LinkedList ("name") ; 

this.Type = Type; 

this.TypeModifier = Modifier; 

ConstraintSet = ConstraintSet.addTolList(¢2) ; 


Pubic TripbetiinkedlList Constraimeser, String Typo. Sirina Y rep) 
{ 

this.Type = Type; 

this.TypeModifier = Modifier; 

this.ConstraintSet = ConstraintSet; 


public Triple(Sstring Type, String Modifier) 
{ 
this.Type = Type; 
this.TypeModifier = Modifier; 
ConstraintSet = new Linkedlist ("name"); 


public String get Type) 
{ 
return this. Type: 


] 
J 
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public String getModifier() 
{ 
return this.TypeModifier; 


public void setModifier(String Modifier, 
{ 
this.TypeModifier - Modifier; 


public void setType(String type) 
{ 
cth1s.[vpe = type; 


public Triple Union( Triple GELTO) 
{ 
LinkedList temp = this.ConstraintSet; 
if((ConstraintItem) temp.obj == null) { 
return new Triple lsetirwo.Constraintoct,tiis.1 Der 
this.TypeModifier) ; 


a 


while(temp.next.obj !'= null) { 
temp. оешу ло рг 


J 


temp.next = setTwo.ConstraintSet; 
this.Constraintset.rear = setTwo.Constraintset. rear; 
return new Triple (this. Constraintset, this. 1 ype, unre. | ypemcal iver), 


public Triple Append (ConstraintItem C) 
{ 
return new Triple(this.ConstraintSet.adaToListiG), has. Type, 
this.TypeModifier); 


u 


public String Tostring() 


{ 

return("("+"["+ ConstraintSet +"]"+","+ Type + TypeModifier +"}" ); 
} 
J 


lend class 
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а ti 


// File: ConstraintItem.java 
// Date: 24 Feb 98 


// 

// Author: LT James D. Harvey, USN 

Z z 

// Purpose: Developed as part of a secure information flow static 
ий analyzer. The structure consists two types. 


Ju e seek iy e rape E Eo ok ut TOT etki TE DT АС A de O 


package thesis; 


public class ConstraintItem 
| 
protected String Typel; 
protected String Type2; 


publie Constraintltemistring Typel . String Type) 
| 

Las: Type Typel; 

this. Types = Түре2; 


pube Sering CoStringi) 


{ 
return ( "ye $ Typel ДЕ N ХВ Туре2 3 г" ); 
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A ОУ 


// File: LinkedList.java 
// Date: 24 Feb 98 


FE 

// Author: LT James D. Harvey, USN 

"i 

// Purpose: Developed as part of a secure information flow static 
Ly analyzer. 


JJ op SA AA A EDO EMMEN E AS ЕЕЕ ЕС 


package thesis; 


public class LinkedList 

{ 
protected Object obj; 
protected LinkedList next; 
protected LinkedList rear = null; 
publlc String name; 


public LinkedList(String name) 
І 
1 


this.oDj = nUll; 


thrs.next = thas; 

this.name = name; 

LE (rear == HOLL, 
rear = this; 


private LinkedList() 
f 
1 

this -GDJ = nally 


се. нее =. 


ыы 


public LinkedList adaToList(Objeet о) 
{ 
LinkedList 1 = new LinkedList(); 
l.obj = 0; 
i.next = this; ° 
return 1: 


public Object getFromlist () 
{ 

return ер? 
| 


public LinkedList removeFromList() 


| 


return this.nest: 


~J 
(. 


public synchronized boolean isEmpty() 


| 


if(this == rear) 
return true; 
else 


return false; 


рибе гос созса 
{ 


if(isEmpty()) 


return ue 
else 
returni(thiscob] 4 '" "4 thrs.next): 


] 
J 


}/fend class 
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Ро EA 
// File: SymbolGenetator.java 
// Date: 24 Feb 98 


di 

// Author: LT James D. Harvey, USN 

23 

// Purpose: Developed as part of a secure information flow static 
// analyzer. Generates new type variables 


ие 


package thesis; 


IDO тала La 
import java.lang."; 


public class SymbolGenerator 
{ 


private int counter = 0; 
private static string TAU teu 3 


public synchronized String NextSymbol () 
{ 
String Symbol = TAU + counter; 
сонет. 


return- Symbol; 


públie Statiée vola main (steing [|| args) 


| 
SymbolGenerator sg = new SymbolGenerator(}; 


Or O ae ee 
5bystem.out.println(sc.NextoymioL())> 


ut 


}//end class 
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Мал аа Ааа Экс тата аа EN RT EN ST U REIF N I IN EI II NEE I opum 


// File: SymbolGenetator.java 
/ / Date: Z4 Feb 98 


/2 

// Author: LT James D. Harvey, USN 

77 

// Purpose: Developed as part of.a secure information flow static 
А analyzer. A data structure 


کک I I ЖУАС A HF UI I EL FI AAA‏ دد رر 


package thesis; 


I- 


2 


0 


S; 
public Gamma gamma; 
рае String Las 


> 
С 
e 
wr 
er 
NQ 
rj 
x 
i2 


D 
Б 


public Dual (Triple cs, бапта чапта) 


S + < = Coy. 
= 
الم‎ 


3 
.gamma = gamma; 


نے 
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APPENDIX C - TEST PROGRAMS 
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I dig i Al A A E E E E E A E 


// File: test.java 
// Date: 24 Feb 98 


// 

// Author: LT James D. Harvey, USN 

"A 

// Purpose: Developed as part of a secure information flow static 
А analyzer. 


П TFT TI TI EI TE I EL A N Er аа е 


class test 


Í 
public static уота рі тас 2, Lat oy) 


The output of the statıc analyzer on the above program produced the following results: 


Constraint set IT: = r TU Ti, (0, 


Gamma: p1 : t3 proc (Tovar, Tıvar) 


Results show, with x: tovar and y: tivar, that to < tı. This is what we would expect to 
ensure secure flow since the program assigns the value of x to y. 
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ООО A ss l r x 


// File: test.java 
// Date: 24 Feb 98 


// 

// Author: LT James D. Harvey, USN 

EL 

// Purpose: Developed as part of a secure information flow static 
Ti analyzer. 


O a E йа асылы C ай: 


class test 


{ 
PUBLI CSSC ев pitin ы U OU) 


if(x == 0) 
you 
else 
y = I} 


The output of the static analyzer on the above program produced the following results: 


Constraint set: {17 = 1s, 17 = 1, Te = 13, Ts = 05, 03 — 72, 
0515155 t GOYO UT 


Gamma: pl: Tgproc (ToVar, Tivar) 
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ТЕГ ката аа тақта A ЕЕ 


// File: test.java 
// Date: 24 Feb 98 


// 

// Author: LT James D. Harvey, USN 

77 

// Purpose: Developed as part of a secure information 
y flow static analyzer. 


Sf er EN a A i papi i libri i pri ES 


Class test 


{ 
publico Statice void ре, INE 
{ 


int a = x; 
int b = 0; 
while (a > Q){ 
b =b + 1; 
a = asa a 
} 
y = b; 


The output of the static analyzer on the above program produced the following results: 


Constraint set: (114 = T12, T12 < T4, Tg = T4, Ts = T4, T2 < 14, Ти = Te. 
се ев TS do m 7 
Tio = To, 12 € to, tj4 € 015, (1 = 113, 13 < Т, То < 72) 


Gamma = pl: t2 proc(xovar, Tıvar) 


A partial trace of the analysis of this program is shown in Chapter VI. 
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P AS DS X ааа ааа аа A RE ОИСЕ 


// File: test.java 
// Date: 24 Feb 98 


KH 

// Author: LT James D. Harvey, USN 

ры 

// Purpose: Developed as part of a secure information 
// flow static analyzer. 


EIERN ER ENTER ER A E ыы ы айы ar 


class test 


{ 
public static void pliant &, int Y) 
| 


INL ag =a: 

Tnt D = Ue 
while (a > 0)4 
р = р ЕЕ; 

а = а - 1; 
| 
у = Б; 


public static void pelinmt 3, Пп D) 
{ 


) 
plib,a). 
lelsel 
рта, ру; 


) 
b = а + Ы; 
} 


public static void main() 


{ 


int s = 1; 
int t = 8; 
do { 
Petey cle 
ce ES 
РЫП ег s) 


oc 
„ә 


The output of the static analyzer on the above program produced the following results: 


— 


The First procedure, pl, produces: 


Constraint set. Tu ~ t vio бое ео ta 
Un = 06, 06 = Us 07 = 16, SE O SE 
ти =, то Contig ОЕ Cie mj 


Gamma: pl: Tı2proc (mvar, Tıvar) 
2. The second procedure, p2, produces: 


Constraint set: { Тз0 = 117, (29 -- 117, (20 - 717, 719 < 117, 017 ^ (15, 
Tis = U7, Vis 87,092 T30, C30 = Tió 121 = 120» 
Us Dort = 093.0 0o ges Cray (s loz, los = Las) 
I >U TS ST, GOST O OO 10. C95 TO, 
716 = 725, 115 5 126, 128 = 70, (27 - To, 715 = 727, 716 © 123, 
732 < 730, 130 = 116, T31 = 030, 715 < 730, 716 < 731 ) 


Gamma: p2 : t,7 proc (Tısvar, Т16Уаг), 
pl: tj2proc (tovar, tivar) 


3. The third procedure, main, produces: 
Constraint set: {T42 < T40, T35 = T40, T41 = T40, T34 5 T40, 
137 = (85, Cig eis, Cis — 115, Cates 036, 
139 © 137, 137 - 134, 138 - 137, 134 < 137) 
Gamma: main: tj»proc(), 
p2 о түургос(а` Тзуагу Б: т суаг), 
pl:tUus»proc(x:tovar, у?тумаг) 
4. Gamma ıs updated with each procedure. 
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